Security flaw in French government messaging app exposed confidential conversations

The French government just launched its own messaging app called Tchap in order to protect conversations from hackers, private companies a...

The French government just launched its own messaging app called Tchap in order to protect conversations from hackers, private companies and foreign entities. But Elliot Alderson, also known as Baptiste Robert, immediately found a security flaw. He was able to create an account even though the service is supposed to be restricted to government officials.

Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open-source project called Riot, which is based on an open-source protocol called Matrix.

In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol that is widely used by consumer apps, such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversions — Messenger and Allo conversations aren’t end-to-end encrypted by default.

Riot is a Matrix client that works on desktop and mobile. You can join rooms, start private conversations, share photos and do everything you’d expect from a modern messaging app. Here’s what it looks like:

Developing Tchap became essential as Emmanuel Macron’s campaign team relied heavily on Telegram — the French government still uses Telegram and WhatsApp for many sensitive conversations. By default, Telegram doesn’t use end-to-end encryption. In other words, people working for Telegram could easily read Macron’s conversations. It’s a serious security weakness.

Similarly, you don’t want the Ministry of Defense to use Slack to talk about sensitive operations. The U.S. government could potentially issue a warrant to access those conversations on Slack’s servers.

Tchap features end-to-end encryption, and encrypted messages are stored on French servers. Access is restricted to government officials, as you need to have an active email address that ends in @something.gouv.fr, or in @elysee.fr.

Yesterday, Alderson found out that you can create an account and access public channels even if you don’t have an official address. Adding @elysee.fr at the end of his email address was enough to receive the confirmation email to his real email address.

Alderson quickly disclosed the bug to the Matrix team. Matrix quickly issued a fix and deployed it. It was related to the identification system used by the French government.

According to Alderson, there’s a bug in the parsing method used in a well-known Python module. The bug hasn’t been fixed since July 2018.

The good news is that Tchap is officially launching today. The DINSIC managed to fix this security flaw just in time before the official launch and somebody could leverage it. In its press release, the government says that the DINSIC will launch a bug bounty program to identify other vulnerabilities.



from TechCrunch https://tcrn.ch/2UKvT4U
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,183,Video,5,XIAOMI,13,YouTube - 9to5Google,182,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: Security flaw in French government messaging app exposed confidential conversations
Security flaw in French government messaging app exposed confidential conversations
https://techcrunch.com/wp-content/uploads/2019/04/home-communication.png
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2019/04/security-flaw-in-french-government.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2019/04/security-flaw-in-french-government.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy